That wasn’t surprising, I expected a /proc read problem based on my previous research, but this nailed it. strace has helped me out on a few other occasions (even though I barely understand the output). I really must remember to use it sooner in the troubleshooting process.

Anyway, I delved into the source code for jsvc (jsvc-unix.c) where I was introduced to the world of Linux capabilities. Long story short, I implemented CAP_DAC_READ_SEARCH in the relevant macros, permitting the switched user to read /proc (and any other file on the system for that matter).

I can’t give a definitive word on whether any security issues are introduced by this. CAP_DAC_READ_SEARCH does give unrestricted read access to files but, if I’m reading this right, the permission levels are reduced after the daemon is loaded (see ‘set_caps(0)’ around line 505 of jsvc-unix.c) so this read access, and other escalated permissions, are only granted long enough to get things started.
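One way to confirm that the capability really is gone once the daemon is up is to look at the CapEff mask the kernel reports in /proc/&lt;pid&gt;/status. The checker below is an added example, not code from jsvc; it assumes the standard Linux capability numbering, where CAP_DAC_READ_SEARCH is bit 2 of the mask.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Capability number of CAP_DAC_READ_SEARCH in linux/capability.h,
 * i.e. bit 2 of the CapEff mask printed in /proc/<pid>/status. */
#define CAP_DAC_READ_SEARCH_BIT 2

/* Parse one "CapXxx:\t<hex mask>" line from /proc/<pid>/status.
 * Returns 0 and stores the mask when the line matches `field`, else -1. */
int parse_cap_line(const char *line, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return -1;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    *mask = strtoull(p, &end, 16);
    return (end == p) ? -1 : 0;
}

/* True if capability number `cap` is set in `mask`. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read the effective capability mask of process `pid` ("self" works too).
 * Returns 0 and fills *mask, or -1 if the status file cannot be read. */
int read_cap_eff(const char *pid, uint64_t *mask)
{
    char path[64], line[256];
    int rc = -1;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, "CapEff", mask) == 0) { rc = 0; break; }
    fclose(f);
    return rc;
}

int main(int argc, char **argv)
{
    uint64_t eff;
    const char *pid = argc > 1 ? argv[1] : "self";   /* pass the jsvc child's pid */
    if (read_cap_eff(pid, &eff) != 0) { perror("read_cap_eff"); return 1; }
    printf("pid %s CapEff=%016llx CAP_DAC_READ_SEARCH=%s\n", pid,
           (unsigned long long)eff,
           mask_has_cap(eff, CAP_DAC_READ_SEARCH_BIT) ? "held" : "dropped");
    return 0;
}
```

Run it against the pid of the running (switched-user) jsvc process after startup; "dropped" is what you would expect to see if set_caps(0) has done its job.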